{
"type": "bundle",
"id": "bundle--566067e0-5c54-45b4-8dff-4fae950d210b",
"objects": [
{
|
|
|
|
"type": "identity",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:05.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:05.000Z",
|
|
|
|
"name": "CthulhuSPRL.be",
|
|
|
|
"identity_class": "organization"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "report",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "report--566067e0-5c54-45b4-8dff-4fae950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:05.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:05.000Z",
|
|
|
|
"name": "OSINT Yara rules for GlassRAT in Loki IOC Scanner by Florian Roth",
|
|
|
|
"published": "2016-02-22T15:18:04Z",
|
|
|
|
"object_refs": [
|
|
|
|
"observed-data--566067f7-36c8-4f78-a805-4e92950d210b",
|
|
|
|
"url--566067f7-36c8-4f78-a805-4e92950d210b",
|
|
|
|
"indicator--56606809-fb5c-4835-a5d5-4608950d210b",
|
|
|
|
"indicator--56606821-6208-4b60-af62-4010950d210b",
|
|
|
|
"indicator--56606821-f258-47c4-9fcb-4c41950d210b",
|
|
|
|
"indicator--56606822-d054-44b2-b67b-4fe8950d210b",
|
|
|
|
"indicator--56606822-33d0-447d-b42d-47cf950d210b",
|
|
|
|
"indicator--56606823-c358-4baa-963b-4e40950d210b",
|
|
|
|
"indicator--56606823-81bc-48ab-aa81-43c0950d210b",
|
|
|
|
"indicator--56606823-4fb4-4f3a-8f81-4eb9950d210b",
|
|
|
|
"indicator--56606824-7770-448e-b80b-4a49950d210b",
|
|
|
|
"indicator--56606832-3264-4d41-801c-47f7950d210b",
|
|
|
|
"indicator--5660686a-9e9c-4945-96d9-434d950d210b",
|
|
|
|
"indicator--5660686b-7ad8-48e2-9616-447e950d210b",
|
|
|
|
"indicator--5660686b-b1ec-4228-852d-40e4950d210b",
|
|
|
|
"indicator--5660686b-a62c-4f7d-8d9b-4a32950d210b",
|
|
|
|
"indicator--5660686c-16e4-454a-b2d6-4a94950d210b",
|
|
|
|
"indicator--5660686c-f458-48df-abbd-4bd2950d210b",
|
|
|
|
"indicator--5660686d-30b0-446d-8355-4a59950d210b",
|
|
|
|
"indicator--56c6b4cf-0aa4-48e1-bb25-4912950d210f",
|
|
|
|
"indicator--56c6b4d1-a900-4d64-9153-5ca1950d210f",
|
|
|
|
"indicator--56c6b4d2-5618-438a-80da-c654950d210f",
|
|
|
|
"indicator--56c6b4d3-9080-447f-af68-59a0950d210f",
|
|
|
|
"indicator--56c6b4d5-be7c-41c3-b471-4c8b950d210f",
|
|
|
|
"indicator--56c6b4d6-d38c-44c9-8bd4-59a3950d210f",
|
|
|
|
"indicator--56c6b4d6-1c8c-4bdf-9e55-c653950d210f",
|
|
|
|
"indicator--56c6b4d7-3a44-4c01-b51c-4034950d210f",
|
|
|
|
"indicator--56c6b4d4-1f88-4975-86e7-c651950d210f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"Threat-Report",
|
|
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
|
|
"type:OSINT"
|
|
|
|
],
|
|
|
|
"object_marking_refs": [
|
|
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--566067f7-36c8-4f78-a805-4e92950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:07.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:07.000Z",
|
|
|
|
"first_observed": "2015-12-03T16:04:07Z",
|
|
|
|
"last_observed": "2015-12-03T16:04:07Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--566067f7-36c8-4f78-a805-4e92950d210b"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--566067f7-36c8-4f78-a805-4e92950d210b",
|
|
|
|
"value": "https://github.com/Neo23x0/Loki/blob/master/signatures/apt_glassRAT.yar"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606809-fb5c-4835-a5d5-4608950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:25.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:25.000Z",
|
|
|
|
"pattern": "[rule glassRAT\r\n{\r\n\tmeta:\r\n\t\tauthor = \"RSA RESEARCH\"\r\n\t\tdate = \"3 Nov 2015\"\r\n description = \"Detects GlassRAT by RSA (modified by Florian Roth - speed improvements)\"\r\n\t\tInfo = \"GlassRat\"\r\n\t\t/* MD5s\r\n\t\t\t37adc72339a0c2c755e7fef346906330\r\n\t\t\t59b404076e1af7d0faae4a62fa41b69f\r\n\t\t\t5c17395731ec666ad0056d3c88e99c4d\r\n\t\t\te98027f502f5acbcb5eda17e67a21cdc\r\n\t\t\t87a965cf75b2da112aea737220f2b5c2\r\n\t\t\t22e01495b4419b564d5254d2122068d9\r\n\t\t\t42b57c0c4977a890ecb0ea9449516075\r\n\t\t\tb7f2020208ebd137616dadb60700b847\t*/\r\n\tstrings:\r\n\t\t$bin1 = {85 C0 B3 01} \t\t/* \ttest eax, eax\r\n\t\t\t\t\t\t\t\t\t\t mov bl, 1 */\r\n\t\t// $bin2 = {34 02}\t\t\t\t// xor al, 2 ---> XOR key for rundll32.exe\r\n\t\t$bin3 = {68 4C 50 00 10}\t// push offset KeyName ; \"2\"\r\n\t\t$bin4 = {68 48 50 00 10}\t// push offset a3 ; \"3\"\r\n\t\t$bin5 = {68 44 50 00 10}\t// push offset a4 ; \"4\"\r\n\t\t$hs = {CB FF 5D C9 AD 3F 5B A1 54 13 FE FB 05 C6 22} // Initial Handshake ---> can be added or removed for hunting for different variants\r\n\t\t//$re1 = {50 00 00 00}\r\n\t\t//$re2 = {BB 01 00 00}\r\n\t\t// Dwords of C2 Ports (80 | 443 | 53) 2 -3 times\r\n\t\t$s1 = \"pwlfnn10,gzg\" // rundll32.exe XOR 02\r\n\t\t$s2 = \"AddNum\"\r\n\t\t$s3 = \"ServiceMain\"\r\n\t\t$s4 = \"The Window\"\r\n\t\t$s5 = \"off.dat\"\r\n\tcondition:\r\n\t\tall of ($bin*) and $hs and 3 of ($s*) //The conditions can be adjusted for hunting for different variants\r\n}]",
|
|
|
|
"pattern_type": "yara",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:25Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"yara\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606821-6208-4b60-af62-4010950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:49.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:49.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '37adc72339a0c2c755e7fef346906330']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:49Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606821-f258-47c4-9fcb-4c41950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:49.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:49.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '59b404076e1af7d0faae4a62fa41b69f']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:49Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606822-d054-44b2-b67b-4fe8950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:50.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:50.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '5c17395731ec666ad0056d3c88e99c4d']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:50Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606822-33d0-447d-b42d-47cf950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:50.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:50.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'e98027f502f5acbcb5eda17e67a21cdc']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:50Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606823-c358-4baa-963b-4e40950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:51.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:51.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '87a965cf75b2da112aea737220f2b5c2']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606823-81bc-48ab-aa81-43c0950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:51.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:51.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '22e01495b4419b564d5254d2122068d9']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606823-4fb4-4f3a-8f81-4eb9950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:51.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:51.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '42b57c0c4977a890ecb0ea9449516075']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:51Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606824-7770-448e-b80b-4a49950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:04:52.000Z",
|
|
|
|
"modified": "2015-12-03T16:04:52.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'b7f2020208ebd137616dadb60700b847']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:04:52Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56606832-3264-4d41-801c-47f7950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:05:06.000Z",
|
|
|
|
"modified": "2015-12-03T16:05:06.000Z",
|
|
|
|
"pattern": "[rule GlassRAT_Generic {\r\n\tmeta:\r\n\t\tdescription = \"Detects GlassRAT Malware\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://blogs.rsa.com/peering-into-glassrat/\"\r\n\t\tdate = \"2015-11-23\"\r\n\t\tscore = 80\r\n\t\thash1 = \"30d26aebcee21e4811ff3a44a7198a5c519843a24f334880384a7158e07ae399\"\r\n\t\thash2 = \"3bdeb3805e9230361fb93c6ffb0bfec8d3aee9455d95b2428c7f6292d387d3a4\"\r\n\t\thash3 = \"79993f1912958078c4d98503e00dc526eb1d0ca4d020d17b010efa6c515ca92e\"\r\n\t\thash4 = \"a9b30b928ebf9cda5136ee37053fa045f3a53d0706dcb2343c91013193de761e\"\r\n\t\thash5 = \"c11faf7290299bb13925e46d040ed59ab3ca8938eab1f171aa452603602155cb\"\r\n\t\thash6 = \"d95fa58a81ab2d90a8cbe05165c00f9c8ad5b4f49e98df2ad391f5586893490d\"\r\n\t\thash7 = \"f1209eb95ce1319af61f371c7f27bf6846eb90f8fd19e8d84110ebaf4744b6ea\"\r\n\tstrings:\r\n\t\t$s1 = \"cmd.exe /c %s\" fullword ascii\r\n\t\t$s2 = \"update.dll\" fullword ascii\r\n\t\t$s3 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\RasAuto\\\\Parameters\" fullword ascii\r\n\t\t$s4 = \"%%temp%%\\\\%u\" fullword ascii\r\n\t\t$s5 = \"\\\\off.dat\" fullword ascii\r\n\t\t$s6 = \"rundll32 \\\"%s\\\",AddNum\" fullword ascii\r\n\t\t$s7 = \"cmd.exe /c erase /F \\\"%s\\\"\" fullword ascii\r\n\t\t$s8 = \"SYSTEM\\\\ControlSet00%d\\\\Services\\\\RasAuto\" fullword ascii\r\n\tcondition:\r\n\t\tuint16(0) == 0x5a4d and filesize < 15MB and 5 of them\r\n}]",
|
|
|
|
"pattern_type": "yara",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:05:06Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"yara\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5660686a-9e9c-4945-96d9-434d950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:02.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:02.000Z",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '30d26aebcee21e4811ff3a44a7198a5c519843a24f334880384a7158e07ae399']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:06:02Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5660686b-7ad8-48e2-9616-447e950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:03.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:03.000Z",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '3bdeb3805e9230361fb93c6ffb0bfec8d3aee9455d95b2428c7f6292d387d3a4']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:06:03Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5660686b-b1ec-4228-852d-40e4950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:03.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:03.000Z",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '79993f1912958078c4d98503e00dc526eb1d0ca4d020d17b010efa6c515ca92e']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:06:03Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5660686b-a62c-4f7d-8d9b-4a32950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:03.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:03.000Z",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'a9b30b928ebf9cda5136ee37053fa045f3a53d0706dcb2343c91013193de761e']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:06:03Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5660686c-16e4-454a-b2d6-4a94950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:04.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:04.000Z",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'c11faf7290299bb13925e46d040ed59ab3ca8938eab1f171aa452603602155cb']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:06:04Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5660686c-f458-48df-abbd-4bd2950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:04.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:04.000Z",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'd95fa58a81ab2d90a8cbe05165c00f9c8ad5b4f49e98df2ad391f5586893490d']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:06:04Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5660686d-30b0-446d-8355-4a59950d210b",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2015-12-03T16:06:05.000Z",
|
|
|
|
"modified": "2015-12-03T16:06:05.000Z",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'f1209eb95ce1319af61f371c7f27bf6846eb90f8fd19e8d84110ebaf4744b6ea']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2015-12-03T16:06:05Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4cf-0aa4-48e1-bb25-4912950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:11.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:11.000Z",
|
|
|
|
"description": "Automatically added (via 37adc72339a0c2c755e7fef346906330): SHA1 of the sample identified by that MD5; added 2016-02-19, after the 2015-12-03 import of the Loki YARA rule whose meta comment lists the MD5.",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '3835394230f1e56633379eaba47a91141d61ec65']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:11Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4d1-a900-4d64-9153-5ca1950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:13.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:13.000Z",
|
|
|
|
"description": "Automatically added (via 59b404076e1af7d0faae4a62fa41b69f): SHA1 of the sample identified by that MD5; added 2016-02-19, after the 2015-12-03 import of the Loki YARA rule whose meta comment lists the MD5.",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'e98f21692f12e37057aea3c721d8e97af7f41dd3']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:13Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4d2-5618-438a-80da-c654950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:14.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:14.000Z",
|
|
|
|
"description": "Automatically added (via 5c17395731ec666ad0056d3c88e99c4d): SHA1 of the sample identified by that MD5; added 2016-02-19, after the 2015-12-03 import of the Loki YARA rule whose meta comment lists the MD5.",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'ee65b0604a6138256ab5aadaa18544d0bef52acd']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:14Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4d3-9080-447f-af68-59a0950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:15.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:15.000Z",
|
|
|
|
"description": "Automatically added (via e98027f502f5acbcb5eda17e67a21cdc): SHA1 of the sample identified by that MD5; added 2016-02-19, after the 2015-12-03 import of the Loki YARA rule whose meta comment lists the MD5. A SHA256 for the same sample is also present in this report.",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'b4dde11be53c599f32bd43a0dcd86fe14a989fd4']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:15Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4d5-be7c-41c3-b471-4c8b950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:17.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:17.000Z",
|
|
|
|
"description": "Automatically added (via 87a965cf75b2da112aea737220f2b5c2): SHA1 of the sample identified by that MD5; added 2016-02-19, after the 2015-12-03 import of the Loki YARA rule whose meta comment lists the MD5.",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '2947eb890f97d2fb11ddec7c987dd2f176a81eda']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:17Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4d6-d38c-44c9-8bd4-59a3950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:18.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:18.000Z",
|
|
|
|
"description": "Automatically added (via 22e01495b4419b564d5254d2122068d9): SHA1 of the sample identified by that MD5; added 2016-02-19, after the 2015-12-03 import of the Loki YARA rule whose meta comment lists the MD5.",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '6008df16bca4fc234b2d654115d3a2f55b1defc6']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4d6-1c8c-4bdf-9e55-c653950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:18.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:18.000Z",
|
|
|
|
"description": "Automatically added (via 42b57c0c4977a890ecb0ea9449516075): SHA1 of the sample identified by that MD5; added 2016-02-19, after the 2015-12-03 import of the Loki YARA rule whose meta comment lists the MD5.",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'c5dd7278180c260c28c252787e65bf3e99c4aee8']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:18Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4d7-3a44-4c01-b51c-4034950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:19.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:19.000Z",
|
|
|
|
"description": "Automatically added (via b7f2020208ebd137616dadb60700b847): SHA1 of the sample identified by that MD5; added 2016-02-19, after the 2015-12-03 import of the Loki YARA rule whose meta comment lists the MD5.",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'f95c2a8aeb081ff849ec720045beffd6c9cb1bf4']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:19Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--56c6b4d4-1f88-4975-86e7-c651950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-02-19T06:23:16.000Z",
|
|
|
|
"modified": "2016-02-19T06:23:16.000Z",
|
|
|
|
"description": "Automatically added (via e98027f502f5acbcb5eda17e67a21cdc): SHA256 of the sample identified by that MD5 (its SHA1 is also listed in this report). This value is not one of the seven hashN entries in the GlassRAT_Generic rule, so it extends that rule's sample list rather than restating it.",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '89317809806ef90bb619a4163562f7db3ca70768db706a4ea483fdb370a79ede']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-02-19T06:23:16Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Artifacts dropped"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Artifacts dropped\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "marking-definition",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
|
|
"definition_type": "tlp",
|
|
|
|
"name": "TLP:WHITE",
|
|
|
|
"definition": {
|
|
|
|
"tlp": "white"
|
|
|
|
}
|
|
|
|
}
]
}